HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-14151Published Modified CNA Chrome

CVE-2026-14151: Inappropriate implementation in AI in Google Chrome prior to 150

Inappropriate implementation in AI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)

Metrics

CVSS v3.1
9.6
Severity
CRITICAL
Fixed in
150.0.7871.47
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A sandbox escape vulnerability exists in the AI subsystem of Google Chrome versions prior to 150.0.7871.47. An attacker who has already compromised the Chrome renderer process can exploit this flaw remotely by serving a crafted HTML page to a victim, breaking out of the browser sandbox and gaining capabilities outside the normally isolated rendering environment. Successful exploitation gives the attacker high-impact read, write, and denial-of-service control over confidential data, application integrity, and service availability. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-14151 is available across every HarborGuard environment, with the CVE ingested from upstream feeds within minutes of publication and matched against all customer registry images and CI/CD pipeline stages, including custom-built Chrome-based container images. Any image running a Chrome version below 150.0.7871.47 is flagged automatically.

Available
Triage

HarborGuard triage capability applies the CVSS 3.1 score of 9.6 (Critical) to findings for this CVE, weighted against each customer organization's per-environment compliance policy, and routes alerts to the appropriate team inbox based on configured severity thresholds and ownership rules.

Available
Patch

A patched-image rebuild targeting Chrome 150.0.7871.47 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the victim over the network by delivering a crafted HTML page, making internet or intranet exposure to untrusted content a prerequisite.

  • AuthenticationNot required

    No authentication is needed; the attacker only needs the victim to load a malicious page, with no account or credential barrier in place.

  • Victim interactionRequired

    The victim must visit or be directed to a crafted HTML page, meaning some degree of social engineering or link delivery is required to trigger the exploit.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors, provided the renderer process has already been compromised.

Blast Radius

  • Attacker breaks out of the Chrome browser sandbox, gaining execution capabilities in the host process context beyond the isolated renderer.
  • Confidential data accessible to the browser process, including stored credentials, session tokens, and local files, becomes readable by the attacker.
  • The attacker can modify application state or persisted data reachable from the escaped sandbox context, including browser profile data and locally cached content.
  • The attacker can crash or destabilize the affected service, causing denial of availability for the browser instance and dependent workloads.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-14151 is active across all connected environments, matching images against the affected Chrome version range on every ingest cycle. Where compliance policy permits, a patched-image rebuild at Chrome 150.0.7871.47 is queued automatically upon detection. For customers who opt into auto-remediation, HarborGuard rebuilds the image, executes a regression test run, and opens a pull request against affected workloads; for critical-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers without auto-remediation receive a prioritized finding with fix-version details and can trigger the rebuild manually from the HarborGuard dashboard.

See how HarborGuard automates this

Fix available

150.0.7871.47
Affected packages
  • Google / Chrome
    < 150.0.7871.47 (from 150.0.7871.47)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H